The study revealed that two-thirds were infected with malware, and quickly uncovered information about many of the former owners of the devices, their family, friends and colleagues.

Disturbingly, none of the owners had used any sort of encryption to secure their files against unauthorised snoopers.

The prepositionless Rail Corporation New South Wales - more commonly known as RailCorp - is one of the oldest continuously-operating railways in the world.

Despite reshuffling, reorganisation, renaming and various fragmentations and privatisations over the years, passenger services in the Greater Sydney metro area (CityRail) and further afield (CountryLink) operate on a network which celebrated its 150th anniversary back in 2005.

The railway system serves a sprawling conurbation of some five million people in and around Sydney, plus a state bigger than Texas beyond that.

With travellers packed into crowded double-decker trains for the rush-hour commute, you can imagine how much personal property gets lost each year.

2011 was no exception. One commuter, who was never traced, even managed to leave behind a rare and valuable 1865 Franz Diener violin, causing wags to remark that it may actually have been lost when still brand new, but delayed for 146 years by trackwork on the North Shore line.

Unsurprisingly, USB keys are lost on RailCorp trains quite literally by the bucket-load.

With a current retail price in Sydney of less than AU$7 (about £4.50) for a 4GB device, replacing a USB key costs less than a pint of beer.

But what about the cost of losing a USB key's worth of data? Just as interestingly, what about the cost of finding a lost or discarded key?

We wanted to find out, so we attended this year's lost property auction and bought up a collection of pre-owned USB sticks.

Here's what happened.

We had $400 (£260) to spend, which we assumed would be enough to buy at least 100 keys to play with. But the auctioneer was in good form, and the mood on the floor was upbeat and competitive.

So our first surprise was the price.

We ended up with Lots 671, 672 and 674: bags containing a motley assortment of 20, 21 and 16 keys respectively. For this rag-tag collection of 57 USB sticks, we paid $409.96 once the auctioneer's 16.5% fee was added in. We could have bought brand-new for slightly less than half that price.

Five of the keys were broken, including the two novelty items in the set (a car and a Lego-like block). Two of the rest were unreliable, so we excluded them, although one gave up just enough data to reveal an Autorun worm but little else.

That left a conveniently-round number of 50 devices in the test.

If you're precise and statistically minded, you'll be happy to know that the total capacity of the 50 devices was 137,454,133,760 bytes. The mean was 2,749,082,675 bytes and the median key capacity was 2,019,557,376 bytes (2GB). The keys ranged from 256MB to 8GB.

All the keys had been formatted to contain a single FAT volume. Six were formatted like old-school floppies, with the entire device given over to the FAT volume. The remaining 44 had a Master Boot Record, like a hard disk, with a single active partition for the data.
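The two layouts described above can be told apart from the first 512 bytes of a device image. The following is an added example, not code from the original study: it classifies sector 0 as a "superfloppy" FAT boot sector, an MBR with a partition table, or neither. The function names and the sample sectors are constructed for illustration.

```python
import struct
from collections import Counter

SECTOR = 512
BOOT_SIG = b"\x55\xaa"   # present at offset 510 in both MBRs and FAT boot sectors
FAT_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x0B: "FAT32",
             0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)"}

def is_fat_boot_sector(sec: bytes) -> bool:
    """True if sector 0 carries a plausible FAT BIOS Parameter Block (BPB)."""
    if sec[0] not in (0xEB, 0xE9):             # x86 jump over the BPB
        return False
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    return (bps in (512, 1024, 2048, 4096)
            and spc != 0 and spc & (spc - 1) == 0   # sectors/cluster: power of two
            and reserved >= 1 and nfats in (1, 2))

def parse_partitions(sec: bytes) -> list:
    """Decode the four 16-byte MBR partition entries starting at offset 446."""
    parts = []
    for i in range(4):
        entry = sec[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or count == 0:           # unused slot
            continue
        if status not in (0x00, 0x80):         # boot code, not a partition table
            return []
        parts.append({"active": status == 0x80, "type": ptype,
                      "fs": FAT_TYPES.get(ptype, "non-FAT"),
                      "start_lba": start, "sectors": count})
    return parts

def classify(sec: bytes) -> dict:
    """Classify sector 0 as 'superfloppy', 'mbr' or 'unrecognised'."""
    if len(sec) < SECTOR or sec[510:512] != BOOT_SIG:
        # Blank, damaged, or not a plain FAT/MBR device at all.
        return {"layout": "unrecognised", "partitions": []}
    # Check the BPB first: a FAT boot sector's code bytes can resemble
    # partition entries, and some MBRs also begin with a jump opcode.
    if is_fat_boot_sector(sec):
        return {"layout": "superfloppy", "partitions": []}
    parts = parse_partitions(sec)
    return {"layout": "mbr" if parts else "unrecognised", "partitions": parts}

def classify_image(path: str) -> dict:
    """Classify a raw device image file by reading only its first sector."""
    with open(path, "rb") as fh:
        return classify(fh.read(SECTOR))

def tally(sectors) -> Counter:
    """Count layouts across many first sectors."""
    return Counter(classify(s)["layout"] for s in sectors)

# --- Constructed sample sectors (not data from the study) ---
def make_fat_boot_sector() -> bytes:
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"                        # jump + NOP
    sec[3:11] = b"MSDOS5.0"                           # OEM name
    struct.pack_into("<HBHB", sec, 11, 512, 4, 1, 2)  # BPB core fields
    sec[510:512] = BOOT_SIG
    return bytes(sec)

def make_mbr() -> bytes:
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x63\x90"    # MBR that starts with a jump, but has no BPB
    sec[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                               b"\xfe\xff\xff", 63, 3_944_367)
    sec[510:512] = BOOT_SIG
    return bytes(sec)

if __name__ == "__main__":
    samples = [make_fat_boot_sector(), make_mbr(), bytes(SECTOR)]
    for s in samples:
        print(classify(s))
    print(dict(tally(samples)))
```
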

Our second surprise was the prevalence of malware.

Two-thirds of the keys (33) were infected. We found 62 infected files in total. The worst key contained six infected files, representing four separate items of malware. The malware counts were as follows:

We didn't find any OS X malware. But nine of the keys appeared to belong to Macintosh owners (or at least had been used extensively on Macs); seven of these were infected.

In other words, if you're a Windows user, don't assume that you can automatically trust everything that comes from your Apple-loving friends. And even if you're one of those Mac users who is opposed to the concept of anti-virus software, consider softening your stance as a service to the community as a whole.

Our third surprise was something of a mixed blessing.

The good part is that we didn't find any obvious "smoking guns" on any of the 50 keys. There were no visible plans for nuclear submarines, no insider trading tips, no credit card dumps, no criminal plots, and no US State Department cables dating back to the 1970s.

Of course, this was an experiment rather than an intelligence-gathering exercise. Since we didn't spot anything on the surface that was obviously in the public interest to expose, we decided to err on the side of caution and to avoid learning too much about the original owners of the keys.

So, we didn't dig anywhere near as deep as an unethical hacker or a serious investigator would have. In particular, we didn't analyse every byte of every file, or search systematically for keywords across slack space, or try to reconstruct deleted files.

The bad part of this is that even with the most cursory automated analysis, we were able to reveal a good deal of personal information about many of the people who had lost these keys, and about their families, friends and colleagues.

One person went to the trouble of writing his name on his key in indelible ink, which tied up nicely with the name recorded in the Document Properties metadata in his Word and Powerpoint files.

We identified 4443 directly-accessible files on the 50 devices, broken down as follows:

The files included:

* Lists of tax deductions.
* Minutes of an activists' meeting.
* School and University assignments.
* AutoCAD drawings of work projects.
* Photo albums of family and friends.
* A CV and job application.
* Software and web source code.

Our fourth surprise was that none of the keys was encrypted, or appeared to contain any encrypted files.

All the devices were openly readable at sector level without any decryption, were directly mountable as FAT volumes without a password, and consisted of plaintext files in a conventional directory structure.

Don't be lulled into thinking that your personal data is unimportant unless you're a high-flying executive or have pots of money. Information about you is worth money to cybercriminals.

And the crooks don't need to be directly involved in identity theft themselves - there's an underground market for selling on personally identifiable information of all sorts.

What can we learn from this? Here's a three-point plan:

1. Do your research before attending IT auctions. It's easy to get carried away and pay too much - and don't forget the auction fees on top of what you bid.

2. Use an anti-virus and keep it up to date, even if you have a Mac. An infection rate of 66% means there are a lot of malware-spreaders in our midst.

3. Encrypt personal and business data before you store it on a USB key so it can't be accessed if you lose the device.

43 Responses to Lost USB keys have 66% chance of malware

More than double the price, by my measure. We spent just over $8 each for USB keys which averaged 2GB each; brand new 4GB keys of similar performance are just under $7 each at the closest Officeworks.

(I say "of similar performance" because two of the keys in the set of 50 are exactly the same model as the $7 jobbies just up the street :-)

I've had emails from people saying, "Perhaps the other bidders wanted the data, not the keys, and pushed up the price?" But other items - e.g. laptops, which were announced as pre-wiped by the auctioneers and thus unattractive to ID thieves - were going for silly money on the day, too.

I put the price down to sufficiently many ill-informed buyers and an auctioneer who could work the room.

I'd be curious to know who else is purchasing them and why. No doubt people with less noble purposes than Paul. . . this would certainly explain a price higher than brand new thumb drives.

What's a couple hundred bucks, after all, if you can compromise someone's bank account or lift confidential corporate data or pictures and videos that were never intended for public viewing?

Paul, if one understands that university assignments (or any other documents) on a thumb drive are easily lost, and fully accepts that their content may become public, is there any unforeseen risk to carrying them around on a USB stick unencrypted? I typically only do it with presentations, which I plan on delivering publicly to at least a small audience anyway.

In this case, as I argued above, I think the high prices can be explained by auction fever rather than by seditious activity. I'd imagine if you were serious about ID theft you'd try to strike a pre-auction "joblot" deal for all of them by posing as a refurbishment company or a charity wanting to have keys to donate...

If you're writing unencrypted data to a USB drive, just assume that each sector you write will be there for ever. (It probably won't, but it might remain un-re-written, even after deletion, for a long time.) As long as you only ever write data which you accept may become public, you're good to go.

I do the same as you - put a preso and related material on a key. Go on the road and give the preso. Return home.

Then I wipe the key so that on next use, I don't have to remember what was on it before. On OS X, this does the wiping trick:

It is my understanding that wear leveling on flash media can mean that overwriting a file doesn't actually write the new data to the same sectors as the original file, thus dd and most simple wipe utilities that are designed around this procedure (which works fine on magnetic media) don't actually delete the data, just hide it...

Using 'diskutil secureErase' or 'dd' on the raw device means you aren't overwriting an individual file. You're writing as much data to the device as the device claims to be able to store.

So the device has to save that many zeroed-out sectors _somewhere_ in its storage.

Unless the device has at least twice as many physical sectors as it publicly advertises, that must overwrite _some_ data. Now, I don't know how many "spare" sectors the average flash device has, nor how sophisticated its low-level sector-remapping firmware might be.

But at $7 retail for a 4GB USB key (or perhaps half that for savvy buyers in Haymarket or Chinatown), I'm prepared to assume the answers are "not that many, and not that sophisticated", and thus that a whole-device 'dd' makes it impracticable to retrieve anything useful afterwards.

For $500 SSD drives intended for use as live OS disks, the number of "spare" sectors and the intelligence of the underlying firmware is no doubt higher, so your 'dd' kilometerage might vary. That sounds like an experiment worth doing...but not one which our $400 budget would have stretched to :-)

Just a thought or two here. The first thought that came to mind was to wonder how many of the keys found on trains are planted there as a virus spreading device? How often does a person find something like that and plop it in their computer to see what's on it?
Other thought, the sample size just is too small. It's a shame that the price was so high, they should have been sold by the bucket, not bag.

A bunch of emailers have asked, "Was this some kind of deliberate malware seeding?"

I strongly doubt it. In particular, the malware involved was mostly very prevalent, general-purpose, zombie stuff (there was even a Conficker in the "other" category :-).

Why plant USB keys on trains (many of which don't get plugged in - they get handed in to lost property, as we found) when you can just use the internet and save yourself a lot of money?

Sadly, I think the malware prevalence tells a simple story of poor PC hygiene, rather than an esoteric story of deliberate hacker activity on the 5.38 service to Parramatta, first stop Strathfield, then all stations to Blacktown, please mind the gap between the platform and the train.

If people are going to get the viruses since they have bad protection it would be much easier to spread the viruses through the internet, so paying $7/USB is a pretty ineffective way unless someone works for a corporate company who has bad security.

If you are running a (licensed) Windows OS computer then use Microsoft Security Essentials. It's free, and updated automatically if you set it to. Don't forget to security patch your PC also. This can be set to automatically update also.

In truth, it was a slightly cheeky remark, since the North Shore line (which I chose to mention because it passes close to Sophos's North Sydney office) only opened in 1890.

Indeed, it was extended southwards to North Sydney only in 1893, and extended across the harbour and into the rest of the network only in 1932 (when the Harbour Bridge opened).

Hmmm. Perhaps that explains the delayed violin after all! 25 years in Hornsby waiting for a station in the first place; three years at St. Leonards waiting for the line to extend to Milsons Point, then a further 39 years for the bridge to be built...that's 67 years of trackwork just to get into the city centre.

Well, they weren't "lost", they were lost - even in strict legal terms, as far as I can see. Not sure why you needed the air-quotes.

And the "location" (you've got me doing it now!) was quite broad and probably representative of many others in the world - a large Anglophone metropolis in a developed economy with a Western-style democracy.

Also, the report is pretty clear about its limitations, wouldn't you say? Only 50 keys, only keys recovered from rail users, only rail users from the New South Wales passenger train network, only basic scrutiny of the data, no forensic-quality recovery.

Additionally, I made sure to point out that the data I found wasn't terribly dramatic or exciting, but somewhat revealing nevertheless.

Strictly speaking, the study shows merely that Sydneysiders who use heavy-rail public transport and who are careless with their personal property are probably also casual about malware and PII.

Nevertheless, I was pretty surprised at the 66% malware figure, and interested to see that no-one seemed to have cared to use encryption at all.

That shouldn't scare anyone, but it probably ought to make people think about their own attitudes to malware and PII...

(And if, as you say, the malware risk is much larger than just a problem of infected USB keys - of which we found many without really trying - then that just makes the whole thing more serious, does it not? :-)

Hmmm... sounds a bit like you're in denial or is it just your naivety?

USB infections are more prevalent than you would think. About a third to half of the detections (alerts) we get in our company comes from USB connected devices, including SD card readers. Yes, even innocent looking camera SD cards can and do get infected.

I never trust a USB device from someone else unless it has been scanned and cleaned first.

"One commuter, who was never traced, even managed to leave behind a rare and valuable 1865 Franz Diener violin, causing wags to remark that it may actually have been lost when still brand new, but delayed for 146 years by trackwork on the North Shore line."

Classic stuff! and a nice article all round which I thoroughly enjoyed reading. Nice one! :)

I don't want to post this comment in an offensive way, but seeing as you're speaking about security, something is wrong in your post.

See, you're directly linking us to an .exe file (the encryption tool @ Sophos), and I infer we're trusted to click this link if we are interested.

This is encouraging a very, oh so VERY WRONG behaviour, to click on an executable found on a webpage, you know :)
You'd better link to Sophos.com or to an internal page of that website, I think this would be more responsible ;)

Anyway, thanks for the interesting note. I can't help wanting to go and scan my USB keys for viruses now -_-

Now, I could have linked you to a second download page, on which you could have clicked a link to the executable. That might have made you feel better, but I'm not sure why it would actually be more secure. Similarly, we could have pretended it wasn't an EXE by packaging it as a ZIP, but the final result would be the same: you'd be downloading and running an EXE from Sophos, just with more work on your part.

FWIW, there is a special download page for the Free Encryption program on http://www.sophos.com. But it makes you go through a download gate (a form you have to fill in) before it presents you with exactly what I did above: a link to the same EXE file. And our readers have told us - in much stronger terms than your comment here :-) - that they Don't Like Download Gates.

(One admitted advantage of a download page is that it can more gracefully deal with things like updated versions, or the future retirement of the product, or caveats about using it. But in the end, it still links to an EXE.)

Interesting stuff. I'm now thinking I should start encrypting my USB keys... Although the Windows .exe you linked to isn't going to be very useful to me, since my primary computer is a Mac and my secondary one is a netbook running Ubuntu Linux. (Also, I totally second Oliver's comment above - linking directly to a .exe file encourages bad habits among users. Yes, I know it's your file and therefore safe - but still. Better to link to a download page.)

And actually, the dual-platform issue there (sometimes triple, since I occasionally use USB keys to exchange data with Windows machines as well) poses an interesting question: is there any way to encrypt data on them that will work reliably across all three platforms, so that if I put some files on there with my Mac and then want to access them on my Linux netbook or a client's Windows PC, I can decrypt them anywhere?

Oh, and speaking of Mac stuff: I am not "one of those Mac users who is opposed to the concept of anti-virus software". I would dearly love to be running your free Mac anti-virus program. I am, however, one of those Mac users who tried running it and found that it totally crippled my computer. It was fine for the first day or so, and then everything began to run progressively slower and slower until programs were taking 20-30 minutes to launch, and even opening a finder window or a new browser tab meant I should probably go make some tea while I waited. I ended up having to reboot in safe mode to disable it, and remove it via a Terminal command.

I assume this has not been everyone's experience, but when searching online for info on how to deal with it (via the netbook, obviously), I did find that quite a lot of other people had had this problem with it. Has there been any progress on making it run less obtrusively? I'd really love to be able to have some anti-virus protection, especially since I regularly exchange files with Windows users and don't want to accidentally infect them with malware even if it's something that wouldn't actually hurt me. But not at the cost of being able to actually use my computer. :-(

You don't say to what level you require the encryption to be, nor how robust against varying forms of attack, but have you looked at TrueCrypt? It is free Open-Source & easy to use, with good documentation. They state support for the 3 OS' you use - I have used it between Linux/Win, but not Mac.

There is a section in the documentation 'Security Requirements' which gives lots of information about, among other things, limitations. http://www.truecrypt.org/

What I find interesting is that CityRail are not wiping the keys prior to sale. In this case it made for a good story, but a better one would be that you found absolutely nothing at all due to the diligence of the authority. I feel that the seller should be responsible for preventing data leaking, even if it is not directly their data, after all they are profiting from selling the device.

I have thought long and hard about this. I don't think that RailCorp should be obliged to wipe the data, in much the same way that I don't think that ISPs should be obliged to watch your internet traffic and block pirated stuff. It's not data which RailCorp collected for its own use, after all.

Apparently NSW Privacy thinks RailCorp should be wiping the keys, but I think NSW Privacy should be frying bigger fish - notably, companies which do collect my data for their own commercial purposes, and then are casual with it.

IIRC RailCorp did wipe the laptops they sold at the auction. But if you oblige them to wipe the USB keys, which will cost way more than they can be sold for, even at the double-bubble prices we paid, then they'll have to start destroying them instead. That would be rather an environmental shame - we're enough of a disposalist society already, I reckon.

It's one thing to say that RailCorp needs to protect people from themselves when they use the rail network, e.g. by reminding people to mind the gap between the platform and the train. It's quite another to say that they have to protect their customers from making IT blunders whilst they're on the train, too.

What next? Will RailCorp be expected to police the trains looking for people using unsecured 3G wireless hotspots on their daily commute? For iPhone users who haven't set a device passcode?

It would be nice if they had the spare change to offer such services (though I wouldn't like to be the security guard who tried to hand out IT advice to unsuspecting travellers :-) But I'd rather they concentrated on a decent, anonymous, stored-value, contactless, integrated ticketing system first...

There's a difference between wiping data and watching internet traffic. It's kind of like saying, if your neighbour leaves his door open, you are free to walk around in his house, because it's his own fault. Versus, if your neighbour leaves his door open, you don't have to monitor his house for burglars.

Two totally different things relating to the same type of issue.

You should go and close the door instead.
I'm sure it doesn't take much for RailCorp to greet the USBs with a hammer or chuck them in their company secure file destruction bin.

Also, isn't there some law saying that if you find lost property, you are obliged to find the owner, and if you can't then only then you can keep it. I'm sure it doesn't take that much effort to track down someone who left their CV on their USB.

I hope you tracked down the owners or wiped these drives afterwards (assuming you didn't steal someone's intimate pictures of their wife or something first)

Entirely with permission. I corresponded with the journo who wrote that story this morning and sent him substantial chunks of this response. It first appeared on the Sydney Morning Herald website; the Mercury has published it too (same owner - Fairfax).

Guessing that wasn't the starting bid price, just who else was showing such a strong interest in acquiring those USBs?
I'll guess here and say the starting bid was most likely below $50 for each of the lots - so that means someone else wanted them enough to drive prices beyond what a casual bidder might do.

I touched on this above - we formed the opinion that the high prices were an unexceptional side-effect of a good auctioneer and a competitive atmosphere, rather than because of any unhealthy interest in the data.

Laptops sold at the same auction were similarly over-bidded, even though they were declared to be "already wiped" (and would thus have been passed over by identity thieves).

Auctions can be like that. People either don't know or lose track of the true value of what they're bidding for, get into the whole competing-to-win thing, and the auctioneer cashes in.

I also was suspicious of the .exe file.
Safe or not, it had no identifiable digital signature, no email address, and no time stamp. It will not be run, even though the current AV has not detected any threats.
A more thoughtful delivery mechanism is needed.
MJZ

I accidentally left my laptop bag (no laptop - just personal papers) at Wynyard Station in July. I realised immediately and got onto CityRail and spoke to Wynyard Station staff who said it was gone. I contacted CityRail lost property the next day and left all my details with them. There was a USB stick in the bag that contained all my university assignments and some historical family photos with great sentimental value to me. The papers left in the bag could clearly identify me, as could the documents on the USB. So why the hell is CityRail selling items that are easily identifiable? Especially when they charge people to retrieve lost property? This is a serious privacy issue, and CityRail Lost Property staff are clearly incompetent.

It's possible, of course, that your bag was stolen by an opportunistic fellow-traveller and never handed in to CityRail. That would explain why your property was never returned. If your bag had been handed in promptly and intact, I'd hope that you would have been reunited with it.

If you have evidence that your bag was formally handed in to CityRail but then processed improperly - read "was nicked by someone in Lost Property" - you should probably go to the police.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog